a space for me to share weird problems and hacks i encounter in my profession

torsdag den 22. september 2011

Claims authentication made simple

I promised an simple example on how to authenticate against ADFS and get a token back. I honestly don’t think this code is production ready, but when your messing around with all this, it truly helps having some working example code to get a better understanding of what's going on.

So here a little solution to get you started.

Project ClaimsAuthenticationThis contains all the code needed to authenticate against an Secure Token Service. Most code is wrapped up to talk with Active Directory Federation Service 2.0, but it could be any STS that understands SAML 2.0 and WS-Federation.

Project CloudAPIIs an simple wrapper class used to call a web service that implements claimsbased authentication. I added it to give a few examples on how to get a token and then use it to authenticate with.

Project ClaimsAuthenticationTestIs a windows forms application that shows how to use the 2 other classes. In a fairly simple way, it try to make it simple to test Asymmetric/Symmetric/Bearer token types; How to use Windows/UserName/Certificate and IssuedToken Authentication schemes; And as a little goody, I also wrapped up a simple way to authenticate against an ADFS server, and then get back a FedAuth Cookie, that is needed when talking with SharePoint 2010. I also added a an example on how to upload and download from SharePoint 2010 after authentication.

Lets have a short look at what all this is. IF you download and run the sample you will see this

On the left you have the basic information needed to authenticate against an Secure Token Service ( here called Identity Provider )

If you choose to authenticate by UserName, fill out username and password

And that’s it. If everything goes well, you will see “Token” on the right side show how long the token is valid for. If you choose bearer or if you have loaded a certificate with the private key for a Symmetric encrypted token. Claims will show you all the claims inside the token.

If you can get a token, you can now try and type in the URL of an SharePoint 2010 website in “SharePoint URI” and click “Get FedAuth”. The the 2 list box's in the bottom left corner will show all SharePoint list’s and all items inside each list. You can also upload and download files to the lists or delete items.

In the bottom right corner is 3 buttons. Each one represent different ways of talking with a Web Service that implements Claimsbased authentication. Note here ActAs is issued to “impersonate” another user though he's token. And require you to have permission to do this. If on the other hand you have an token with Symmetric signed claims you can reuse this token to authenticate again using “IssuedToken”. ( hint hint. This is why you want to sign your claims )

Project compiles fine under both .NET version 3.5 and 4.0 .. When you swap to 3.5 you will get 2 errors. Read my remarks above those 2 lines.